File System Artifacts

• /etc/passwd: User account info (usernames, UIDs)
• /etc/shadow: Password hashes (root-only access)
• /etc/group: Group memberships
• /home//: User files and configs
• .bash_history / .zsh_history: Shell command history
• /var/log/lastlog: Last login times per user
• /var/log/wtmp & /var/log/btmp: Login/logout records (use last, lastb)

Log Files

• /var/log/syslog: General system activity (Debian/Ubuntu)
• /var/log/messages: General logs (RHEL/CentOS)
• /var/log/auth.log: Authentication events (SSH, sudo, su)
• /var/log/secure: RHEL auth log equivalent
• /var/log/kern.log: Kernel events
• /var/log/faillog: Failed login attempts

Process & Execution Artifacts

• ps aux / top / htop: Running processes
• /proc//: Live process details
• cron jobs:
  • crontab -l, /etc/crontab, /etc/cron.*
• Systemd Services: systemctl list-units --type=service
• Startup Scripts:
  • /etc/init.d/, /etc/rc*.d/, /etc/systemd/system/

Network Artifacts

• Active Connections: netstat -tunap, ss -tunap
• Interfaces: ip a, ifconfig
• ARP Table: arp -a
• DNS Cache: systemd-resolve --statistics, resolvectl (if applicable)
• iptables Rules: iptables -L -v -n

User Artifacts

• Login History: last, lastlog, who, w
• SSH Keys: ~/.ssh/authorized_keys, known_hosts, id_rsa
• .bashrc / .profile / .bash_logout: Modified shell behavior
• Mounted Devices: mount, /etc/fstab, lsblk, df -h
• USB Devices: dmesg, /var/log/syslog, /dev/ entries

Tools

• LiME: Memory acquisition
• AVML: Azure memory acquisition (cross-platform)
• Volatility, Rekall: Memory analysis
• The Sleuth Kit: Disk forensics
• Plaso / log2timeline: Timeline generation
• auditd: Security event auditing (if enabled)

Use live collection scripts with care. Always mount forensic images read-only. Respect timestamps like they’re sacred.

Happy Investigating!